NOTICE OF PRIVACY PRACTICES
EFFECTIVE 10/01/2024
NOTICE FOR USE AND SHARING OF PROTECTED HEALTH INFORMATION
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.
If you have any questions, please address them to the contact person listed at the bottom of this notice.
We at Acupuncture and Integrative Medicine Associates of Nashua, PLLC and AIMA Functional Medicine, hereinafter referred to as “AIMA”, pledge to give you the highest quality health care and to have a relationship with you that is built on trust. This trust includes our commitment to respect the privacy and confidentiality of your health information. The word “AIMA” in this Notice includes Acupuncture and Integrative Medicine Associates of Nashua, PLLC, AIMA Functional Medicine, and all of its employees. AIMA provides health care to our patients in partnership with other professionals and health care organizations. The information privacy practices in this notice will be followed by any health care professional that treats you at any of our locations. While each of these facilities and affiliates operates independently, they may share your health information for coordination of care, treatment, payment and healthcare operations purposes. We understand that medical information about you is personal. We are committed to protecting medical information about you. We create a record of the care and services you receive to provide quality care and to comply with legal requirements. This notice applies to all of the records of your care generated by any of the separate facilities and providers described above. We are required by law to keep medical information about you private, give you this notice of our legal duties and privacy practices with respect to medical information about you and follow the terms of the notice that is currently in effect. This Notice is being given to you because federal law gives you the right to be told ahead of time about how we will handle your medical information, our legal duties related to your medical information, and your rights with regard to your medical information.
A. HOW WE MAY USE AND DISCLOSE (SHARE) YOUR PROTECTED HEALTH INFORMATION
When you need health care, you give information about yourself and your health to doctors, nurses, and other health care workers and staff. This information, along with the record of the care you receive, is “protected health information” (or “health information”). The information in your medical record is kept in paper form and/or in an electronic form. AIMA uses your health information within its system, and shares your health information outside its system in order to give you excellent medical care. AIMA uses and shares your health information for other reasons that can include medical research and training new health care workers. AIMA may share your health information with outside health care providers for purposes such as treatment or research. This Notice tells you how AIMA uses and shares your health information for these and other purposes. It also tells you when we need to get your specific permission to do so.
- Treatment, Payment, and Health Care Operations
Except where prohibited by New Hampshire state or federal laws, AIMA may legally use and share your health information for treatment, payment, and health care operations. We do not need to ask for your specific permission to do these things, as explained below:
Treatment: AIMA health care providers will use and share your health information to provide and manage your health care and related services. We may send information about you to a specialist as part of a referral or for coordination of care. For example, your health care provider may refer you to a specialist such as a surgeon. The specialist may tell you that you need to be admitted to the hospital for surgery. In this example, all of the health care providers will share medical information about you whether they are in the AIMA system or not. This is to coordinate your care before, during and after you go into the hospital. AIMA will share information with other third parties, such as home health agencies, visiting nurses, rehabilitation hospitals, and ambulance companies. It will also share information with those who treated you before you went into the hospital and with those who will treat you in the future. This helps to make sure that everyone caring for you has the information they need.
Payment: AIMA will use and share your health information to bill and collect payment for the health care services it gives to you. For example, if you have health insurance, your health care provider will share your medical information with the insurance company or government agency (for example, Medicare or Medicaid). The insurance company uses the information to tell if you are eligible for benefits or if the services you received were medically needed.
Health Care Operations: AIMA may use and share your health information for activities that are known as health care operations. These are activities that are needed to operate its facilities and carry out its mission. Some of the information is shared with outside parties who perform these health care operations or other services on behalf of AIMA (“business associates”). These business associates are also required to keep your health information private. For example, we may share your information with others who invoice insurance companies on our behalf, provide us with software support to assist with maintenance of our computer systems, or evaluate our operations to help us improve. Other examples of activities that make up health care operations include: monitoring the quality of care and making improvements where needed, comparing patient data to improve treatment methods, making sure health care providers are qualified to do their jobs, reviewing medical records for completeness and accuracy, meeting standards set by regulating agencies, teaching students and health professionals, using outside business services (such as transcription, storage, auditing, legal or other consulting services), storing your health information on computers and managing and analyzing medical information. In addition, we may use a sign-in sheet for registration where you will be asked to sign your name and indicate your health care provider, or we may call you by name in the waiting room when you are ready to be seen. We may use and disclose health information to contact you at the address, email address and telephone numbers you give to us (including leaving messages at the telephone numbers, sending text messages, and sending emails to the email addresses) including information about scheduled, rescheduled, cancelled or missed appointments, registration/insurance updates, and billing or payment matters.
Unless you inform us otherwise, we may provide you with a reminder phone call, text message, or email reminder of your appointment date and time, general nature of the appointment and the name of the provider you will be seeing. We also may use and disclose health information to tell you about patient care issues, offer follow up care instructions, provide you with the opportunity to participate in a survey, tell you about other health care providers, treatment choices and treatment alternatives, or to tell you about products or health-related benefits and services that may be of interest to you.
- Uses and Disclosures (Sharing) of Your Health Information for Other Purposes
AIMA may legally use and/or share your health information with others for the following purposes without your specific permission: as required by state and federal laws and regulations, for public health purposes and activities, including required reports to the state public health and child protection authorities, and to agencies such as cancer registries and the federal Food and Drug Administration, with regard to abuse and neglect reporting, for health oversight activities, audits or inspections, for legal and administrative proceedings or in response to valid judicial or administrative orders or other legal processes, for law enforcement purposes under specific conditions such as reporting when someone is the victim of a crime, with regard to people who have died, for funeral arrangements, to coroners, medical examiners and funeral directors, for organ, eye or tissue donation at death, to avert a serious threat to your health or safety or the health or safety of others, for emergencies, for national security and specialized government operations, for members of the Armed Forces as required by Military Command authorities, as authorized by and as necessary to comply with workers compensation laws, for permissible public health, health care operations, and research purposes when limited identifiable information is used or shared, and for research that is approved by an AIMA Research Committee or its designee when written permission is not required by federal or state law. This may also include preparing for research or telling you about research studies in which you might be interested. You will never receive care solely for research purposes without your consent. However, in some cases, informational research may be done without your written authorization.
For example, AIMA’s researchers may work with health information that does not include names or other personal information. AIMA may use or disclose health information for research that is approved by an AIMA Research Committee if it involves minimal risks, protects against misuse and disclosure, and meets other legal requirements. Staff may use health information to prepare for research or contact you about research studies for which you qualify. Health information acquired, used, or created for research may be used or disclosed for care, payment, health care operations, or other purposes where authorization is not required. For example, we may tell your doctors of clinical research activities that could affect your care.
- Uses and Disclosures (Sharing) of Information that Require Your Written Permission (Authorization)
Using and/or disclosing health information for most purposes other than treatment, payment, or health care operations (for example, for many, but not all, research and marketing purposes) requires your specific authorization. Your written permission is needed for any use or sharing of your health information not described in this Notice. For example, we need written permission if we were to use or share your information for marketing purposes or if we were to sell your information. Your authorization (permission) must describe who will use, disclose and/or receive your health information, the purpose of the use or disclosure, and your signature. You may cancel your permission in writing at any time by submitting your cancellation request to the same person to whom you gave your written authorization. Although we cannot take back any disclosure we already made with your authorization, we will make reasonable efforts to notify persons we have shared it with of your wishes.
Furthermore, certain information that may be contained in your medical record is considered by state and Federal law to be highly confidential, including, for example, HIV testing or test results, certain clinical therapy documentation and certain genetic information. Only limited psychiatric or HIV information may be disclosed for billing purposes without your authorization. If you are treated in a specialized substance abuse program, your special authorization will be needed for most disclosures other than emergencies. Therefore, this type of information gets additional protection from disclosure, often requiring your written authorization even before disclosure for treatment, payment or health care operations.
- Uses and Disclosures That Require Us to Give You an Opportunity to Object and Opt Out
Fundraising Activities: We may contact you regarding our fundraising activities. You may opt out of receiving communications regarding our fundraising activities at any time. If you do not wish to be contacted for our fundraising efforts, please notify us in writing at the address or email address provided below.
Individuals Involved in Your Care or Payment for Your Care: Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your protected health information that directly relates to that person’s involvement in your health care. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment.
Disaster Relief: We may share information necessary for disaster relief activities with the Red Cross or other similar relief agencies so that we can tell your family members where you are, your health condition, to coordinate your care or to assist with coordination of other relief services.
Display Items You Share with Us: We may display photographs, letters, cards, artwork or other items that you give us. We may display these items, but we will not show your full name, address or other identifying information. Please tell us if you do not want this information displayed when you give it to us.
B. YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION AND HOW TO EXERCISE THEM
The Right to Ask for Limits on the Use and Sharing of Your Health Information: You have the right to ask for restrictions on the use and sharing of your health information for treatment, payment, or health care operations. You can also ask for restrictions on using this information to notify you about appointments, etc. AIMA is not legally required to agree to your request. If we do, we must put the restriction in writing and abide by it except if you need to be treated in an emergency. You may not ask us to restrict uses and sharing of information that we are legally required to make. All requests must be made in writing to the contact person listed at the end of this Notice.
Right to Revoke an Authorization: You have the right to change your mind after you sign a permission form allowing AIMA to release your protected health information. You can cancel your written permission at any time. If you cancel your permission, we will not release any more of your information that you are entitled to prevent us from disclosing. However, we cannot take back information we have already released.
The Right to Restrict Disclosure of Encounter Information for Out-of-Pocket-Payments: If you paid out-of-pocket (or in other words, you have requested that we not bill your health plan) in full for a specific item or service, you have the right to ask that your protected health information with respect to that item or service not be disclosed to a health plan, including Medicare, for purposes of payment or health care operations, and we will honor that request.
The Right to Ask that Your Health Information be Communicated to you in a Confidential Manner: You have the right to ask for your health information to be sent to you in different ways. For example, you may ask that AIMA not contact you with appointment reminders by telephone, via text message or email, or only call at your work or cell telephone number rather than home. When we request an address, email address and telephone number(s) to contact you, it is your responsibility to give us contact information such as telephone number(s) and an address that will allow us to carry out our needs to reach you and care for you. We may request that the method and location where you wish to be contacted be in writing and that you contact us with any changes to this information. AIMA must agree to any reasonable request and will not ask you to explain the reason for your request. AIMA can require you to give information as to how a payment will be handled, and what address a bill should be mailed to.
The Right to Get Notice of a Breach: You have the right to be notified upon a breach of the privacy or security of your protected health information.
The Right to Look at and Get a Copy of Your Health Information: You have the right to look at and get a copy of your health information that AIMA keeps of your medical treatment and bills. You must ask for this in writing. We will respond within thirty (30) days from receipt of your request. If you ask for a copy of your records, you may be charged a fee. We may not charge you a fee if you need the information for a claim for benefits under the Social Security Act or any other state or federal needs-based benefit program. If your request is denied, we will explain the reasons for denial in writing. If your request is denied you have the right to have the denial reviewed by a licensed healthcare professional who was not directly involved in the denial of your request, and we will comply with the outcome of the review. We may offer to give you a summary or explanation of the information you requested as long as you agree in advance to this and to any fees that it might cost. If you ask for information that we do not have, but we know where it is, we must tell you where to direct your request. Certain information (for example, psychotherapy notes) may be withheld from you in certain circumstances.
The Right to an Electronic Copy of Electronic Medical Records: If your protected health information is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We will make every effort to provide access to your protected health information in the form or format you request, if it is readily producible in such form or format. If the protected health information is not readily producible in the form or format you request, your record will be provided in either our standard electronic format or, if you do not want this form or format, a readable hard copy form. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.
The Right to Change Your Health Information: You have the right to ask us to change your health information related to your treatment and bills if you think that there has been a mistake or that information is missing. You must make your request in writing and give the reason for why you want the change. We have 60 days to respond to your request. If we are not able to act on the request within the 60 days, we will notify you that we are extending the response time by 30 days. If we extend the response time, we will explain the delay to you in writing and give you a new date of when to expect a response. We will charge a fee for your request and we will notify you of the fee before we do the work. This will give you a chance to stop the request if you do not wish to pay the fee. We may deny your request. If we deny your request, we must give you a written statement with the reasons for the denial, and what other steps are available to you. You may submit a written statement of disagreement with a decision by us not to amend a record. If we grant the request, we will ask you to tell us the persons you want to receive the changes. You need to agree to have us notify them along with any others who received the information before corrections were made, and who may have relied on the incorrect information to give you treatment.
Right to a List of Certain Disclosures of Your Medical Information: You have the right to ask for a list of some health information disclosures. Unless a government agency requests that we delay our response, we will provide you with a list of health disclosures except those that you authorized, made for purposes of treatment, payment or health care operations, those that were made to you, or to others designated by you, those that occurred as a result of permitted uses and disclosures, those that were for national security and intelligence, or to law enforcement or correctional officials, those that do not include identifiable data, or those that were made before April 14, 2003. You must submit your written request to the contact person listed at the end of this Notice. It also does not include sharing information with persons involved in your care or using your information to communicate with you about your health condition.
The Right to Ask for a Paper Copy of this Notice: You may ask for a paper copy of this Notice from the contact person listed at the end of this Notice. You can ask for a paper copy even if you agreed to receive the Notice electronically.
C. OUR DUTIES WITH RESPECT TO YOUR HEALTH INFORMATION
AIMA is required by law to keep your health information private. We are required to give people notice of our legal duties and privacy practices with respect to your health information. AIMA must abide by the terms of the Notice currently in effect. AIMA reserves the right to change its privacy practices and the terms of this Notice at any time. Changes will apply to your protected health information we already have, as well as new information obtained after the change occurs. When we make a significant change in our policies, we will change our Notice and post the new Notice prominently and make it available on our website at www.aimaonashua.com. You can receive a copy of the current Notice at any time by calling the contact person listed at the end of this notice. The effective date is listed just below the title. You will also be asked to acknowledge your receipt of this Notice in writing.
On April 22, 2024, OCR issued a Final Rule, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability and Accountability Act of 1996 Privacy Rule by prohibiting the disclosure of protected health information related to lawful reproductive health care in certain circumstances. HHS issued this Final Rule after hearing that changes were needed to better protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care. This Final Rule bolsters patient-provider confidentiality and helps promote trust and open communication between individuals and their health care providers or health plans, which is essential for high-quality health care. Public Health as used in the terms “public health surveillance,” “public health investigation,” and “public health intervention,” means population level activities to prevent disease in and promote the health of populations. Such activities include identifying, monitoring, preventing, or mitigating ongoing or prospective threats to the health or safety of a population, which may involve the collection of protected health information; but such activities do not include those with any of the following purposes:
(1) To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating health care.
(2) To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating health care.
(3) To identify any person for any of the activities described at paragraphs (1) or (2) of this definition.
Reproductive Health Care means health care, as defined in this section, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care. The HIPAA Privacy Rule to Support Reproductive Health Care Privacy prohibits the use or disclosure of PHI for any of the following activities:
• To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
• The identification of any person for the purpose of conducting such investigation or imposing such liability.
The prohibition applies where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care and the regulated entity that received the request for PHI has reasonably determined that one or more of the following conditions exists:
• The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
• The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided.
Reproductive health care provided by a person other than the regulated entity that receives the request for PHI is presumed lawful unless the regulated entity has any of the following:
• Actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided.
• Factual information supplied by the person requesting the PHI that demonstrates to the regulated entity a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.
Regulated entities are required to obtain an attestation from the requestor that the use or disclosure is not for a prohibited purpose when they receive a request for PHI potentially related to reproductive health care. This requirement applies when the request for PHI is for:
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
• Disclosures to coroners and medical examiners
On February 8, 2024, the U.S. Department of Health & Human Services (HHS) through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights announced a final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”). With this final rule, HHS is implementing the confidentiality provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (enacted March 27, 2020), which require the Department to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health Act (HITECH).
The Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.
The modifications in this final rule reflect the proposals published in the December 2, 2022, Notice of Proposed Rulemaking (NPRM), and public comments received from: substance use disorder and other advocacy groups; trade and professional associations; behavioral and other health providers; health information technology vendors and health information exchanges; state, local, tribal and territorial governments; health plans; academic institutions, including academic health centers; and unaffiliated or anonymous individuals. Following a 60-day comment period, HHS analyzed and carefully considered all comments submitted from the public on the NPRM and made appropriate modifications before finalizing.
The final rule includes the following modifications to Part 2 that were proposed in the NPRM:
- Patient Consent
  - Allows a single consent for all future uses and disclosures for treatment, payment, and health care operations.
  - Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations; however, these records cannot be used in legal proceedings against the patient without specific consent or a court order, which is more stringent than the HIPAA standard.
- Other Uses and Disclosures
  - Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
  - Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
- Penalties: Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations (See 42 U.S.C. 1320d–5 and 1320d-6).
- Breach Notification: Applies the same requirements of the HIPAA Breach Notification Rule to breaches of records under Part 2. Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term “Breach”. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification requirements.
- Patient Notice: Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
- Safe Harbor: Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
In addition to finalizing modifications to Part 2 that were proposed in the NPRM, the Final Rule includes further modifications informed by public comments, notably the following:
- Safe Harbor: Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.
- Segregation of Part 2 Data: Adds an express statement that segregating or segmenting Part 2 records is not required.
- Complaints: Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.
- SUD Counseling Notes: Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes.
- Patient Consent:
  - Prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
  - Requires a separate patient consent for the use and disclosure of SUD counseling notes.
  - Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.
- Fundraising: Creates a new right for patients to opt out of receiving fundraising communications.
As has always been the case under Part 2, patients’ SUD treatment records cannot be used to investigate or prosecute the patient without written patient consent or a court order. Records obtained in an audit or evaluation of a Part 2 program cannot be used to investigate or prosecute patients, absent written consent of the patients or a court order that meets Part 2 requirements.
D. HOW TO COMPLAIN IF YOU BELIEVE YOUR PRIVACY RIGHTS HAVE BEEN VIOLATED
If you think that we may have violated your privacy rights or you disagree with any action we have taken with regard to your health information, we want you, your family, or your guardian to speak with us. If you present a complaint, your care will not be affected in any way. It is the goal of AIMA to give you the highest quality of care while respecting your privacy. You may file a complaint by contacting the individual listed at the end of this Notice. You may also file a complaint online with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights or by calling this department at 1-800-368-1019. We will take no retaliatory action against you if you file a complaint about our privacy practices.
E. PERSON TO CONTACT FOR INFORMATION OR WITH A COMPLAINT
If you have any questions about this Notice or if you have complaints, please contact Information Services at AIMA Functional Medicine, 60 Main Street #310, Nashua, N.H. 03060, telephone number (603) 718-8328 or via email at info@aimaofnashua.com.